rpms
/
openssl
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

backports from upstream CVS 

fix segfault when /dev/urandom is not available (#809586)
This commit is contained in:
Tomas Mraz 2012-04-05 19:56:49 +02:00
parent 0f0ab24176
commit d7587a26b6
3 changed files with 236 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

226
openssl-1.0.1-backport.patch Normal file
View File

@ -0,0 +1,226 @@
diff -up openssl-1.0.1/apps/s_client.c.backport openssl-1.0.1/apps/s_client.c
--- openssl-1.0.1/apps/s_client.c.backport 2012-03-14 21:15:04.736897459 +0100
+++ openssl-1.0.1/apps/s_client.c 2012-04-05 19:48:40.469998965 +0200
@@ -622,13 +622,7 @@ int MAIN(int argc, char **argv)
SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
#endif
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
meth=SSLv23_client_method();
-#elif !defined(OPENSSL_NO_SSL3)
- meth=SSLv3_client_method();
-#elif !defined(OPENSSL_NO_SSL2)
- meth=SSLv2_client_method();
-#endif
apps_startup();
c_Pause=0;
diff -up openssl-1.0.1/apps/s_server.c.backport openssl-1.0.1/apps/s_server.c
--- openssl-1.0.1/apps/s_server.c.backport 2012-03-14 21:15:04.690896516 +0100
+++ openssl-1.0.1/apps/s_server.c 2012-04-05 19:48:40.474999072 +0200
@@ -969,17 +969,7 @@ int MAIN(int argc, char *argv[])
char *srpuserseed = NULL;
char *srp_verifier_file = NULL;
#endif
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
meth=SSLv23_server_method();
-#elif !defined(OPENSSL_NO_SSL3)
- meth=SSLv3_server_method();
-#elif !defined(OPENSSL_NO_SSL2)
- meth=SSLv2_server_method();
-#elif !defined(OPENSSL_NO_TLS1)
- meth=TLSv1_server_method();
-#else
- /* #error no SSL version enabled */
-#endif
local_argc=argc;
local_argv=argv;
diff -up openssl-1.0.1/crypto/aes/asm/aes-armv4.pl.backport openssl-1.0.1/crypto/aes/asm/aes-armv4.pl
--- openssl-1.0.1/crypto/aes/asm/aes-armv4.pl.backport 2012-03-14 21:15:04.777898297 +0100
+++ openssl-1.0.1/crypto/aes/asm/aes-armv4.pl 2012-04-05 19:51:35.555528155 +0200
@@ -408,6 +408,7 @@ _armv4_AES_encrypt:
.type private_AES_set_encrypt_key,%function
.align 5
private_AES_set_encrypt_key:
+_armv4_AES_set_encrypt_key:
sub r3,pc,#8 @ AES_set_encrypt_key
teq r0,#0
moveq r0,#-1
@@ -425,7 +426,7 @@ private_AES_set_encrypt_key:
bne .Labrt
.Lok: stmdb sp!,{r4-r12,lr}
- sub $tbl,r3,#private_AES_set_encrypt_key-AES_Te-1024 @ Te4
+ sub $tbl,r3,#_armv4_AES_set_encrypt_key-AES_Te-1024 @ Te4
mov $rounds,r0 @ inp
mov lr,r1 @ bits
@@ -685,7 +686,7 @@ private_AES_set_encrypt_key:
.align 5
private_AES_set_decrypt_key:
str lr,[sp,#-4]! @ push lr
- bl private_AES_set_encrypt_key
+ bl _armv4_AES_set_encrypt_key
teq r0,#0
ldrne lr,[sp],#4 @ pop lr
bne .Labrt
diff -up openssl-1.0.1/crypto/aes/asm/aes-s390x.pl.backport openssl-1.0.1/crypto/aes/asm/aes-s390x.pl
--- openssl-1.0.1/crypto/aes/asm/aes-s390x.pl.backport 2012-03-14 21:15:04.782898400 +0100
+++ openssl-1.0.1/crypto/aes/asm/aes-s390x.pl 2012-04-05 19:50:41.290593267 +0200
@@ -783,6 +783,7 @@ $code.=<<___;
.type private_AES_set_encrypt_key,\@function
.align 16
private_AES_set_encrypt_key:
+_s390x_AES_set_encrypt_key:
lghi $t0,0
cl${g}r $inp,$t0
je .Lminus1
@@ -1068,7 +1069,7 @@ $code.=<<___;
private_AES_set_decrypt_key:
st${g} $key,4*$SIZE_T($sp) # I rely on AES_set_encrypt_key to
st${g} $ra,14*$SIZE_T($sp) # save non-volatile registers!
- bras $ra,AES_set_encrypt_key
+ bras $ra,_s390x_AES_set_encrypt_key
l${g} $key,4*$SIZE_T($sp)
l${g} $ra,14*$SIZE_T($sp)
ltgr %r2,%r2
diff -up openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl.backport openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl
--- openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl.backport 2012-03-14 21:15:04.777898297 +0100
+++ openssl-1.0.1/crypto/aes/asm/vpaes-x86_64.pl 2012-04-05 19:48:22.036603157 +0200
@@ -263,7 +263,7 @@ _vpaes_decrypt_core:
pshufb %xmm2, %xmm4 # 4 = sbou
pxor %xmm0, %xmm4 # 4 = sb1u + k
movdqa 0x70(%r10), %xmm0 # 0 : sbot
- movdqa .Lk_sr-.Lk_dsbd(%r11), %xmm2
+ movdqa -0x160(%r11), %xmm2 # .Lk_sr-.Lk_dsbd=-0x160
pshufb %xmm3, %xmm0 # 0 = sb1t
pxor %xmm4, %xmm0 # 0 = A
pshufb %xmm2, %xmm0
@@ -869,6 +869,8 @@ ${PREFIX}_cbc_encrypt:
___
($len,$key)=($key,$len);
$code.=<<___;
+ sub \$16,$len
+ jc .Lcbc_abort
___
$code.=<<___ if ($win64);
lea -0xb8(%rsp),%rsp
@@ -887,7 +889,6 @@ ___
$code.=<<___;
movdqu ($ivp),%xmm6 # load IV
sub $inp,$out
- sub \$16,$len
call _vpaes_preheat
cmp \$0,${enc}d
je .Lcbc_dec_loop
@@ -932,6 +933,7 @@ $code.=<<___ if ($win64);
.Lcbc_epilogue:
___
$code.=<<___;
+.Lcbc_abort:
ret
.size ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt
___
diff -up openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl.backport openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl
--- openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl.backport 2012-03-14 21:15:04.775898257 +0100
+++ openssl-1.0.1/crypto/aes/asm/vpaes-x86.pl 2012-04-05 19:48:22.036603157 +0200
@@ -843,6 +843,8 @@ $k_dsbo=0x2c0; # decryption sbox final
&mov ($out,&wparam(1)); # out
&mov ($round,&wparam(2)); # len
&mov ($key,&wparam(3)); # key
+ &sub ($round,16);
+ &jc (&label("cbc_abort"));
&lea ($base,&DWP(-56,"esp"));
&mov ($const,&wparam(4)); # ivp
&and ($base,-16);
@@ -853,7 +855,6 @@ $k_dsbo=0x2c0; # decryption sbox final
&mov (&DWP(48,"esp"),$base);
&mov (&DWP(0,"esp"),$out); # save out
- &sub ($round,16);
&mov (&DWP(4,"esp"),$key) # save key
&mov (&DWP(8,"esp"),$const); # save ivp
&mov ($out,$round); # $out works as $len
@@ -896,6 +897,7 @@ $k_dsbo=0x2c0; # decryption sbox final
&mov ($base,&DWP(8,"esp")); # restore ivp
&mov ("esp",&DWP(48,"esp"));
&movdqu (&QWP(0,$base),"xmm1"); # write IV
+&set_label("cbc_abort");
&function_end("${PREFIX}_cbc_encrypt");
&asm_finish();
diff -up openssl-1.0.1/crypto/evp/p5_crpt.c.backport openssl-1.0.1/crypto/evp/p5_crpt.c
--- openssl-1.0.1/crypto/evp/p5_crpt.c.backport 2011-06-03 22:52:57.000000000 +0200
+++ openssl-1.0.1/crypto/evp/p5_crpt.c 2012-04-05 19:49:01.512450795 +0200
@@ -138,5 +138,6 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *c
OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
rv = 1;
err:
+ EVP_MD_CTX_cleanup(&ctx);
return rv;
}
diff -up openssl-1.0.1/crypto/pkcs7/pk7_doit.c.backport openssl-1.0.1/crypto/pkcs7/pk7_doit.c
--- openssl-1.0.1/crypto/pkcs7/pk7_doit.c.backport 2012-03-12 17:27:50.000000000 +0100
+++ openssl-1.0.1/crypto/pkcs7/pk7_doit.c 2012-04-05 19:49:40.591289911 +0200
@@ -430,6 +430,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
STACK_OF(X509_ALGOR) *md_sk=NULL;
STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
PKCS7_RECIP_INFO *ri=NULL;
+ unsigned char *ek = NULL, *tkey = NULL;
+ int eklen = 0, tkeylen = 0;
i=OBJ_obj2nid(p7->type);
p7->state=PKCS7_S_HEADER;
@@ -507,8 +509,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
int max;
X509_OBJECT ret;
#endif
- unsigned char *ek = NULL, *tkey = NULL;
- int eklen, tkeylen;
if ((etmp=BIO_new(BIO_f_cipher())) == NULL)
{
@@ -609,11 +609,13 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
{
OPENSSL_cleanse(ek,eklen);
OPENSSL_free(ek);
+ ek = NULL;
}
if (tkey)
{
OPENSSL_cleanse(tkey,tkeylen);
OPENSSL_free(tkey);
+ tkey = NULL;
}
if (out == NULL)
@@ -656,6 +658,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
if (0)
{
err:
+ if (ek)
+ {
+ OPENSSL_cleanse(ek,eklen);
+ OPENSSL_free(ek);
+ }
+ if (tkey)
+ {
+ OPENSSL_cleanse(tkey,tkeylen);
+ OPENSSL_free(tkey);
+ }
if (out != NULL) BIO_free_all(out);
if (btmp != NULL) BIO_free_all(btmp);
if (etmp != NULL) BIO_free_all(etmp);
diff -up openssl-1.0.1/ssl/d1_srvr.c.backport openssl-1.0.1/ssl/d1_srvr.c
--- openssl-1.0.1/ssl/d1_srvr.c.backport 2012-03-06 14:24:16.000000000 +0100
+++ openssl-1.0.1/ssl/d1_srvr.c 2012-04-05 19:47:36.812632091 +0200
@@ -920,7 +920,7 @@ int dtls1_send_server_hello(SSL *s)
p=s->s3->server_random;
Time=(unsigned long)time(NULL); /* Time */
l2n(Time,p);
- RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+ RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
/* Do the message type and length last */
d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);

4
openssl-1.0.1-beta3-fips.patch
View File

@ -11341,7 +11341,7 @@ diff -up openssl-1.0.1-beta3/crypto/fips/fips_drbg_hmac.c.fips openssl-1.0.1-bet
diff -up openssl-1.0.1-beta3/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.1-beta3/crypto/fips/fips_drbg_lib.c
--- openssl-1.0.1-beta3/crypto/fips/fips_drbg_lib.c.fips 2012-02-29 10:33:02.794294898 +0100
+++ openssl-1.0.1-beta3/crypto/fips/fips_drbg_lib.c 2012-02-29 10:33:02.794294898 +0100
@@ -0,0 +1,576 @@
@@ -0,0 +1,578 @@
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
+ */
@ -11501,6 +11501,8 @@ diff -up openssl-1.0.1-beta3/crypto/fips/fips_drbg_lib.c.fips openssl-1.0.1-beta
+ return dctx->get_entropy(dctx, pout, entropy, min_len, max_len);
+ rv = dctx->get_entropy(dctx, &tout, entropy + bl,
+ min_len + bl, max_len + bl);
+ if (tout == NULL)
+ return 0;
+ *pout = tout + bl;
+ if (rv < (min_len + bl) || (rv % bl))
+ return 0;

8
openssl.spec
View File

@ -21,7 +21,7 @@
Summary: Utilities from the general purpose cryptography library with TLS implementation
Name: openssl
Version: 1.0.1
Release: 1%{?dist}
Release: 2%{?dist}
Epoch: 1
# We have to remove certain patented algorithms from the openssl source
# tarball with the hobble-openssl script which is included below.
@ -64,6 +64,7 @@ Patch63: openssl-1.0.0d-xmpp-starttls.patch
Patch65: openssl-1.0.0e-chil-fixes.patch
# Backported fixes including security fixes
Patch81: openssl-1.0.1-beta2-padlock64.patch
Patch82: openssl-1.0.1-backport.patch
License: OpenSSL
Group: System Environment/Libraries
@ -161,6 +162,7 @@ from other formats to the formats used by the OpenSSL toolkit.
%patch65 -p1 -b .chil
%patch81 -p1 -b .padlock64
%patch82 -p1 -b .backport
# Modify the various perl scripts to reference perl in the right location.
perl util/perlpath.pl `dirname %{__perl}`
@ -415,6 +417,10 @@ rm -rf $RPM_BUILD_ROOT/%{_libdir}/fipscanister.*
%postun libs -p /sbin/ldconfig
%changelog
* Thu Apr 5 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1-2
- backports from upstream CVS
- fix segfault when /dev/urandom is not available (#809586)
* Wed Mar 14 2012 Tomas Mraz <tmraz@redhat.com> 1.0.1-1
- new upstream release